GDPR one year on
Written by Joseph Poppy on 24/05/2019
The interesting thing to note here is that, whilst the fine came after the GDPR deadline, the issue in question occurred beforehand, meaning the company could only be held as accountable as the UK Data Protection Act would allow. £500,000 was the maximum penalty. Had the whole scandal occurred a few months later, we might have been looking at a considerably larger sum.
The remaining fines have been rather small in comparison, such as a Polish firm fined £187,000 (an approximate conversion of the original fine in Euros) for scraping data on individuals without their consent.
GDPR was quite a dramatic overhaul of data protection law. It’s worth noting that there were not many legal examples for regulatory bodies to build from. It’s understandable that they’re reluctant to lean too heavily into the fines at this relatively early stage when people are still trying to get to grips with the legislation (including them).
Investigations take time
As cooking pasta has taught me, everything takes time, often much longer than you feel it ought to. The aforementioned fining of Facebook shows that misuse of data and data breaches don’t immediately come to light. In fact, it can take months for a breach to even be detected. Then regulatory bodies have to do their own investigations and see where the fault lies. Was the company doing everything it could? Was it directly responsible? How much damage was done? Did the company attempt to cover it up in any way? All of these questions need to be answered before any fines can be decided. Whilst the statement ‘it is a complex process’ often seems like a way for people to say ‘we don’t know, please stop asking us questions’, investigating a breach really is a complex process. It’s likely that we’ll start seeing fines hitting companies with greater frequency as investigations are concluded. We may even see them getting bigger.
Take the British Airways hack, for example. Whilst they successfully reported the breach within the 72-hour period and cooperated with regulatory bodies, under GDPR, they could potentially face some hefty financial repercussions. The same goes for the Marriott hack.
Has GDPR been worth it?
I think it’s fair to say that the level of authority GDPR has given data subjects over how their personal data is to be used is a good thing. It’s certainly something that many businesses seem to be taking seriously. Whenever I’m browsing the internet, I am constantly having to click ‘I accept’ on privacy disclaimers. Although I don’t actually read what I’m accepting, and I’m sure you don’t either. We could both have accepted responsibility for things we’re not qualified for.
In terms of whether it’s actually having an effect – well, only time will tell. Despite being agreed in 2016, we found a lot of companies only started worrying about GDPR a day or two before the enforcement date. It’s good to know old habits die hard. We are now a year on from the enforcement date, but for wide-reaching legislation like this, it’s too early to quantify its effectiveness. It’s still a legal requirement though, so don’t take this to mean you can sit back and relax. Down that path lie fines. So, if you’re still struggling with compliance, book yourself a gap analysis, schedule an implementation project or even let us fulfil your DPO responsibilities.